This post is a fairly comprehensive reference to Advanced Policy Firewall (apf-firewall), a user-friendly front end to iptables. We will also cover BFD (bfd), a script that automates IP blocking using APF.

Basic Usage

What -a actually does is add the IP entry to the allow_hosts.rules file. -d does the same thing for deny_hosts.rules. -u removes the IP entry from either allow_hosts.rules or deny_hosts.rules, if it exists. All three commands will call apf -e as well.

Restrict on a per-IP basis

The most straightforward way to do this is, as mentioned earlier, by using -a, -d and -u. Of course, you can edit allow_hosts.rules or deny_hosts.rules directly as well (specify each IP address on a new line).

Restrict on a per-port basis

By default, APF blocks a number of known malicious ports (see the main config file for an exhaustive list). To allow all incoming or outgoing connections on a per-port basis, we can edit the IG_TCP_CPORTS or EG_TCP_CPORTS setting respectively in APF’s main config file /etc/apf-firewall/conf.apf:

Ban Duration

I recommend setting this a lot higher than the default of 300 seconds. 21600 (6 hours), maybe?

Reactive Address Blocking

RAB="0"

Set this to “1” to activate APF’s reactive address blocking.

Subscriptions

APF can subscribe to known lists of bad IP addresses. The below is an abridged portion of the config file that deals with this:

##
# [Remote Rule Imports]
##
# Project Honey Pot is the first and only distributed system for identifying
# spammers and the spambots they use to scrape addresses from your website.
# This aggregate list combines Harvesters, Spammers and SMTP Dictionary attacks
# from the PHP IP Data at: http://www.projecthoneypot.org/list_of_ips.php
DLIST_PHP="0"
DLIST_PHP_URL="rfxn.com/downloads/php_list"
DLIST_PHP_URL_PROT="http"
# The Spamhaus Don't Route Or Peer List (DROP) is an advisory "drop all
# traffic" list, consisting of stolen 'zombie' netblocks and netblocks
# controlled entirely by professional spammers. For more information please
# see http://www.spamhaus.org/drop/.
DLIST_SPAMHAUS="0"
DLIST_SPAMHAUS_URL="www.spamhaus.org/drop/drop.lasso"
DLIST_SPAMHAUS_URL_PROT="http"
# DShield collects data about malicious activity from across the Internet.
# This data is cataloged, summarized and can be used to discover trends in
# activity, confirm widespread attacks, or assist in preparing better firewall
# rules. This is a list of top networks that have exhibited suspicious activity.
DLIST_DSHIELD="0"
DLIST_DSHIELD_URL="feeds.dshield.org/top10-2.txt"
DLIST_DSHIELD_URL_PROT="http"

BFD Configuration

BFD barely has any configuration (which is A Good Thing™). The below is pretty much it:

$ vim /usr/local/bfd/conf.bfd

You can set the threshold for the number of attempts before an IP address is blocked:

TRIG="15"

The default of 15 is quite generous - I’d lower it to at most 5 or 6.

BFD also has email alerts:

EMAIL_ALERTS="1"
EMAIL_ADDRESS="wow@example.com"

We can add whitelisted IP addresses in:

$ vim /usr/local/bfd/ignore.hosts

IP addresses whitelisted by BFD are still subjected to APF’s rules - they do not have any influence on each other.

Finally, and most importantly, BFD is started with:

$ bfd -s

which will also start a cron job that goes through your access log files every 3 minutes and tells APF to ban any IP address that goes beyond the threshold specified in TRIG.
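To make the cron job’s behaviour concrete, here is an added stand-in (not part of the original post, and not BFD’s own code) that does the same thing in miniature: it counts failed SSH logins per source IP in a log, skips anything listed in ignore.hosts, and prints the apf -d command for every IP at or above TRIG. It assumes sshd’s standard “Failed password … from IP” log format; the sample log below is constructed.

```shell
#!/bin/sh
# Added example: a minimal imitation of what BFD's cron job does with TRIG.
# Not BFD's own code. Assumes sshd's "Failed password ... from <IP>" format.

# Constructed sample log (not a real capture).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  1 10:00:01 host sshd[1201]: Failed password for root from 192.0.2.10 port 5001 ssh2
Mar  1 10:00:03 host sshd[1202]: Failed password for invalid user admin from 192.0.2.10 port 5002 ssh2
Mar  1 10:00:05 host sshd[1203]: Accepted publickey for alice from 198.51.100.7 port 6000 ssh2
Mar  1 10:00:07 host sshd[1204]: Failed password for root from 192.0.2.10 port 5003 ssh2
Mar  1 10:00:09 host sshd[1205]: Failed password for root from 203.0.113.5 port 7001 ssh2
Mar  1 10:00:11 host sshd[1206]: Failed password for invalid user test from 192.0.2.10 port 5004 ssh2
Mar  1 10:00:13 host sshd[1207]: Failed password for root from 192.0.2.10 port 5005 ssh2
EOF

# Whitelist file, one IP per line (same role as BFD's ignore.hosts).
IGNORE_HOSTS="${IGNORE_HOSTS:-/usr/local/bfd/ignore.hosts}"

# offenders LOGFILE TRIG -> prints "IP COUNT" for each IP whose failed-login
# count is >= TRIG and which is not whitelisted. A missing ignore file is
# treated as an empty whitelist (getline returns -1 and the loop ends).
offenders() {
    awk -v trig="$2" -v ignore="$IGNORE_HOSTS" '
        BEGIN { while ((getline line < ignore) > 0) if (line != "") skip[line] = 1 }
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= trig && !(ip in skip)) print ip, fails[ip] }
    ' "$1" | sort
}

# ban_offenders LOGFILE TRIG -> prints one "apf -d IP" line per offender,
# so the output can be reviewed and then piped to sh to apply the bans.
ban_offenders() {
    offenders "$1" "$2" | while read -r ip count; do
        printf 'apf -d %s\n' "$ip"
    done
}

# Stand-alone run: with the post's suggested TRIG of 5, only 192.0.2.10 is banned.
ban_offenders "$SAMPLE_LOG" 5
```

Real BFD also tracks which IPs it has already reported so the same address is not banned again on every 3-minute pass; this stand-in deliberately omits that.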

BFD Logs

BFD logs to /var/log/bfd_log.

Footnotes

I won’t be demonstrating this here, but this should apply to virtually any setting where an IP address is otherwise expected.